{"schema_version":"1.7.2","id":"OESA-2024-1996","modified":"2024-08-16T11:08:50Z","published":"2024-08-16T11:08:50Z","upstream":["CVE-2022-48860","CVE-2024-39509","CVE-2024-41012","CVE-2024-41034","CVE-2024-41035","CVE-2024-41046","CVE-2024-41059","CVE-2024-41065","CVE-2024-41087","CVE-2024-42084","CVE-2024-42087","CVE-2024-42089","CVE-2024-42096","CVE-2024-42102","CVE-2024-42105","CVE-2024-42143","CVE-2024-42148","CVE-2024-42154","CVE-2024-42157","CVE-2024-42160","CVE-2024-42223","CVE-2024-42244"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nethernet: Fix error handling in xemaclite_of_probe\r\n\r\nThis node pointer is returned by of_parse_phandle() with refcount\nincremented in this function. Calling of_node_put() to avoid the\nrefcount leak. As the remove function do.(CVE-2022-48860)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nHID: core: remove unnecessary WARN_ON() in implement()\r\n\r\nSyzkaller hit a warning [1] in a call to implement() when trying\nto write a value into a field of smaller size in an output report.\r\n\r\nSince implement() already has a warn message printed out with the\nhelp of hid_warn() and value in question gets trimmed with:\n\t...\n\tvalue \u0026amp;= m;\n\t...\nWARN_ON may be considered superfluous. Remove it to suppress future\nsyzkaller triggers.\r\n\r\n[1]\nWARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 implement drivers/hid/hid-core.c:1451 [inline]\nWARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863\nModules linked in:\nCPU: 0 PID: 5084 Comm: syz-executor424 Not tainted 6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nRIP: 0010:implement drivers/hid/hid-core.c:1451 [inline]\nRIP: 0010:hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863\n...\nCall Trace:\n \u0026lt;TASK\u0026gt;\n __usbhid_submit_report drivers/hid/usbhid/hid-core.c:591 [inline]\n usbhid_submit_report+0x43d/0x9e0 drivers/hid/usbhid/hid-core.c:636\n hiddev_ioctl+0x138b/0x1f00 drivers/hid/usbhid/hiddev.c:726\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...(CVE-2024-39509)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfilelock: Remove locks reliably when fcntl/close race is detected\r\n\r\nWhen fcntl_setlk() races with close(), it removes the created lock with\ndo_lock_file_wait().\nHowever, LSMs can allow the first do_lock_file_wait() that created the lock\nwhile denying the second do_lock_file_wait() that tries to remove the lock.\nSeparately, posix_lock_file() could also fail to\nremove a lock due to GFP_KERNEL allocation failure (when splitting a range\nin the middle).\r\n\r\nAfter the bug has been triggered, use-after-free reads will occur in\nlock_get_status() when userspace reads /proc/locks. This can likely be used\nto read arbitrary kernel memory, but can\u0026apos;t corrupt kernel memory.\r\n\r\nFix it by calling locks_remove_posix() instead, which is designed to\nreliably get rid of POSIX locks associated with the given file and\nfiles_struct and is also used by filp_flush().(CVE-2024-41012)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix kernel bug on rename operation of broken directory\r\n\r\nSyzbot reported that in rename directory operation on broken directory on\nnilfs2, __block_write_begin_int() called to prepare block write may fail\nBUG_ON check for access exceeding the folio/page size.\r\n\r\nThis is because nilfs_dotdot(), which gets parent directory reference\nentry (\u0026quot;..\u0026quot;) of the directory to be moved or renamed, does not check\nconsistency enough, and may return location exceeding folio/page size for\nbroken directories.\r\n\r\nFix this issue by checking required directory entries (\u0026quot;.\u0026quot; and \u0026quot;..\u0026quot;) in\nthe first chunk of the directory in nilfs_dotdot().(CVE-2024-41034)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nUSB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor\r\n\r\nSyzbot has identified a bug in usbcore (see the Closes: tag below)\ncaused by our assumption that the reserved bits in an endpoint\ndescriptor\u0026apos;s bEndpointAddress field will always be 0.  As a result of\nthe bug, the endpoint_is_duplicate() routine in config.c (and possibly\nother routines as well) may believe that two descriptors are for\ndistinct endpoints, even though they have the same direction and\nendpoint number.  This can lead to confusion, including the bug\nidentified by syzbot (two descriptors with matching endpoint numbers\nand directions, where one was interrupt and the other was bulk).\r\n\r\nTo fix the bug, we will clear the reserved bits in bEndpointAddress\nwhen we parse the descriptor.  (Note that both the USB-2.0 and USB-3.1\nspecs say these bits are \u0026quot;Reserved, reset to zero\u0026quot;.)  This requires us\nto make a copy of the descriptor earlier in usb_parse_endpoint() and\nuse the copy instead of the original when checking for duplicates.(CVE-2024-41035)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: ethernet: lantiq_etop: fix double free in detach\r\n\r\nThe number of the currently released descriptor is never incremented\nwhich results in the same skb being released multiple times.(CVE-2024-41046)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhfsplus: fix uninit-value in copy_name\r\n\r\n[syzbot reported]\nBUG: KMSAN: uninit-value in sized_strscpy+0xc4/0x160\n sized_strscpy+0xc4/0x160\n copy_name+0x2af/0x320 fs/hfsplus/xattr.c:411\n hfsplus_listxattr+0x11e9/0x1a50 fs/hfsplus/xattr.c:750\n vfs_listxattr fs/xattr.c:493 [inline]\n listxattr+0x1f3/0x6b0 fs/xattr.c:840\n path_listxattr fs/xattr.c:864 [inline]\n __do_sys_listxattr fs/xattr.c:876 [inline]\n __se_sys_listxattr fs/xattr.c:873 [inline]\n __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873\n x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3877 [inline]\n slab_alloc_node mm/slub.c:3918 [inline]\n kmalloc_trace+0x57b/0xbe0 mm/slub.c:4065\n kmalloc include/linux/slab.h:628 [inline]\n hfsplus_listxattr+0x4cc/0x1a50 fs/hfsplus/xattr.c:699\n vfs_listxattr fs/xattr.c:493 [inline]\n listxattr+0x1f3/0x6b0 fs/xattr.c:840\n path_listxattr fs/xattr.c:864 [inline]\n __do_sys_listxattr fs/xattr.c:876 [inline]\n __se_sys_listxattr fs/xattr.c:873 [inline]\n __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873\n x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[Fix]\nWhen allocating memory to strbuf, initialize memory to 0.(CVE-2024-41059)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/pseries: Whitelist dtl slub object for copying to userspace\r\n\r\nReading the dispatch trace log from /sys/kernel/debug/powerpc/dtl/cpu-*\nresults in a BUG() when the config CONFIG_HARDENED_USERCOPY is enabled as\nshown below.\r\n\r\n    kernel BUG at mm/usercopy.c:102!\n    Oops: Exception in kernel mode, sig: 5 [#1]\n    LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\n    Modules linked in: xfs libcrc32c dm_service_time sd_mod t10_pi sg ibmvfc\n    scsi_transport_fc ibmveth pseries_wdt dm_multipath dm_mirror dm_region_hash dm_log dm_mod fuse\n    CPU: 27 PID: 1815 Comm: python3 Not tainted 6.10.0-rc3 #85\n    Hardware name: IBM,9040-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_042) hv:phyp pSeries\n    NIP:  c0000000005d23d4 LR: c0000000005d23d0 CTR: 00000000006ee6f8\n    REGS: c000000120c078c0 TRAP: 0700   Not tainted  (6.10.0-rc3)\n    MSR:  8000000000029033 \u0026lt;SF,EE,ME,IR,DR,RI,LE\u0026gt;  CR: 2828220f  XER: 0000000e\n    CFAR: c0000000001fdc80 IRQMASK: 0\n    [ ... GPRs omitted ... ]\n    NIP [c0000000005d23d4] usercopy_abort+0x78/0xb0\n    LR [c0000000005d23d0] usercopy_abort+0x74/0xb0\n    Call Trace:\n     usercopy_abort+0x74/0xb0 (unreliable)\n     __check_heap_object+0xf8/0x120\n     check_heap_object+0x218/0x240\n     __check_object_size+0x84/0x1a4\n     dtl_file_read+0x17c/0x2c4\n     full_proxy_read+0x8c/0x110\n     vfs_read+0xdc/0x3a0\n     ksys_read+0x84/0x144\n     system_call_exception+0x124/0x330\n     system_call_vectored_common+0x15c/0x2ec\n    --- interrupt: 3000 at 0x7fff81f3ab34\r\n\r\nCommit 6d07d1cd300f (\u0026quot;usercopy: Restrict non-usercopy caches to size 0\u0026quot;)\nrequires that only whitelisted areas in slab/slub objects can be copied to\nuserspace when usercopy hardening is enabled using CONFIG_HARDENED_USERCOPY.\nDtl contains hypervisor dispatch events which are expected to be read by\nprivileged users. Hence mark this safe for user access.\nSpecify useroffset=0 and usersize=DISPATCH_LOG_BYTES to whitelist the\nentire object.(CVE-2024-41065)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nata: libata-core: Fix double free on error\r\n\r\nIf e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump\nto the err_out label, which will call devres_release_group().\ndevres_release_group() will trigger a call to ata_host_release().\nata_host_release() calls kfree(host), so executing the kfree(host) in\nata_host_alloc() will lead to a double free:\r\n\r\nkernel BUG at mm/slub.c:553!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\nRIP: 0010:kfree+0x2cf/0x2f0\nCode: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da\nRSP: 0018:ffffc90000f377f0 EFLAGS: 00010246\nRAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320\nRDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0\nRBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000\nR10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780\nR13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006\nFS:  00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n \u0026lt;TASK\u0026gt;\n ? __die_body.cold+0x19/0x27\n ? die+0x2e/0x50\n ? do_trap+0xca/0x110\n ? do_error_trap+0x6a/0x90\n ? kfree+0x2cf/0x2f0\n ? exc_invalid_op+0x50/0x70\n ? kfree+0x2cf/0x2f0\n ? asm_exc_invalid_op+0x1a/0x20\n ? ata_host_alloc+0xf5/0x120 [libata]\n ? ata_host_alloc+0xf5/0x120 [libata]\n ? kfree+0x2cf/0x2f0\n ata_host_alloc+0xf5/0x120 [libata]\n ata_host_alloc_pinfo+0x14/0xa0 [libata]\n ahci_init_one+0x6c9/0xd20 [ahci]\r\n\r\nEnsure that we will not call kfree(host) twice, by performing the kfree()\nonly if the devres_open_group() call failed.(CVE-2024-41087)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nftruncate: pass a signed offset\r\n\r\nThe old ftruncate() syscall, using the 32-bit off_t misses a sign\nextension when called in compat mode on 64-bit architectures.  As a\nresult, passing a negative length accidentally succeeds in truncating\nto file size between 2GiB and 4GiB.\r\n\r\nChanging the type of the compat syscall to the signed compat_off_t\nchanges the behavior so it instead returns -EINVAL.\r\n\r\nThe native entry point, the truncate() syscall and the corresponding\nloff_t based variants are all correct already and do not suffer\nfrom this mistake.(CVE-2024-42084)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep\r\n\r\nThe ilitek-ili9881c controls the reset GPIO using the non-sleeping\ngpiod_set_value() function. This complains loudly when the GPIO\ncontroller needs to sleep. As the caller can sleep, use\ngpiod_set_value_cansleep() to fix the issue.(CVE-2024-42087)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nASoC: fsl-asoc-card: set priv-\u0026gt;pdev before using it\r\n\r\npriv-\u0026gt;pdev pointer was set after being used in\nfsl_asoc_card_audmux_init().\nMove this assignment at the start of the probe function, so\nsub-functions can correctly use pdev through priv.\r\n\r\nfsl_asoc_card_audmux_init() dereferences priv-\u0026gt;pdev to get access to the\ndev struct, used with dev_err macros.\nAs priv is zero-initialised, there would be a NULL pointer dereference.\nNote that if priv-\u0026gt;dev is dereferenced before assignment but never used,\nfor example if there is no error to be printed, the driver won\u0026apos;t crash\nprobably due to compiler optimisations.(CVE-2024-42089)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86: stop playing stack games in profile_pc()\r\n\r\nThe \u0026apos;profile_pc()\u0026apos; function is used for timer-based profiling, which\nisn\u0026apos;t really all that relevant any more to begin with, but it also ends\nup making assumptions based on the stack layout that aren\u0026apos;t necessarily\nvalid.\r\n\r\nBasically, the code tries to account the time spent in spinlocks to the\ncaller rather than the spinlock, and while I support that as a concept,\nit\u0026apos;s not worth the code complexity or the KASAN warnings when no serious\nprofiling is done using timers anyway these days.\r\n\r\nAnd the code really does depend on stack layout that is only true in the\nsimplest of cases.  We\u0026apos;ve lost the comment at some point (I think when\nthe 32-bit and 64-bit code was unified), but it used to say:\r\n\r\n\tAssume the lock function has either no stack frame or a copy\n\tof eflags from PUSHF.\r\n\r\nwhich explains why it just blindly loads a word or two straight off the\nstack pointer and then takes a minimal look at the values to just check\nif they might be eflags or the return pc:\r\n\r\n\tEflags always has bits 22 and up cleared unlike kernel addresses\r\n\r\nbut that basic stack layout assumption assumes that there isn\u0026apos;t any lock\ndebugging etc going on that would complicate the code and cause a stack\nframe.\r\n\r\nIt causes KASAN unhappiness reported for years by syzkaller [1] and\nothers [2].\r\n\r\nWith no real practical reason for this any more, just remove the code.\r\n\r\nJust for historical interest, here\u0026apos;s some background commits relating to\nthis code from 2006:\r\n\r\n  0cb91a229364 (\u0026quot;i386: Account spinlocks to the caller during profiling for !FP kernels\u0026quot;)\n  31679f38d886 (\u0026quot;Simplify profile_pc on x86-64\u0026quot;)\r\n\r\nand a code unification from 2009:\r\n\r\n  ef4512882dbe (\u0026quot;x86: time_32/64.c unify profile_pc\u0026quot;)\r\n\r\nbut the basics of this thing actually goes back to before the git tree.(CVE-2024-42096)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRevert \u0026quot;mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again\u0026quot;\r\n\r\nPatch series \u0026quot;mm: Avoid possible overflows in dirty throttling\u0026quot;.\r\n\r\nDirty throttling logic assumes dirty limits in page units fit into\n32-bits.  This patch series makes sure this is true (see patch 2/2 for\nmore details).\r\n\r\n\nThis patch (of 2):\r\n\r\nThis reverts commit 9319b647902cbd5cc884ac08a8a6d54ce111fc78.\r\n\r\nThe commit is broken in several ways.  Firstly, the removed (u64) cast\nfrom the multiplication will introduce a multiplication overflow on 32-bit\narchs if wb_thresh * bg_thresh \u0026gt;= 1\u0026lt;\u0026lt;32 (which is actually common - the\ndefault settings with 4GB of RAM will trigger this).  Secondly, the\ndiv64_u64() is unnecessarily expensive on 32-bit archs.  We have\ndiv64_ul() in case we want to be safe \u0026amp; cheap.  Thirdly, if dirty\nthresholds are larger than 1\u0026lt;\u0026lt;32 pages, then dirty balancing is going to\nblow up in many other spectacular ways anyway so trying to fix one\npossible overflow is just moot.(CVE-2024-42102)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix inode number range checks\r\n\r\nPatch series \u0026quot;nilfs2: fix potential issues related to reserved inodes\u0026quot;.\r\n\r\nThis series fixes one use-after-free issue reported by syzbot, caused by\nnilfs2\u0026apos;s internal inode being exposed in the namespace on a corrupted\nfilesystem, and a couple of flaws that cause problems if the starting\nnumber of non-reserved inodes written in the on-disk super block is\nintentionally (or corruptly) changed from its default value.  \r\n\r\n\nThis patch (of 3):\r\n\r\nIn the current implementation of nilfs2, \u0026quot;nilfs-\u0026gt;ns_first_ino\u0026quot;, which\ngives the first non-reserved inode number, is read from the superblock,\nbut its lower limit is not checked.\r\n\r\nAs a result, if a number that overlaps with the inode number range of\nreserved inodes such as the root directory or metadata files is set in the\nsuper block parameter, the inode number test macros (NILFS_MDT_INODE and\nNILFS_VALID_INODE) will not function properly.\r\n\r\nIn addition, these test macros use left bit-shift calculations using with\nthe inode number as the shift count via the BIT macro, but the result of a\nshift calculation that exceeds the bit width of an integer is undefined in\nthe C specification, so if \u0026quot;ns_first_ino\u0026quot; is set to a large value other\nthan the default value NILFS_USER_INO (=11), the macros may potentially\nmalfunction depending on the environment.\r\n\r\nFix these issues by checking the lower bound of \u0026quot;nilfs-\u0026gt;ns_first_ino\u0026quot; and\nby preventing bit shifts equal to or greater than the NILFS_USER_INO\nconstant in the inode number test macros.\r\n\r\nAlso, change the type of \u0026quot;ns_first_ino\u0026quot; from signed integer to unsigned\ninteger to avoid the need for type casting in comparisons such as the\nlower bound check introduced this time.(CVE-2024-42105)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\norangefs: fix out-of-bounds fsid access\r\n\r\nArnd Bergmann sent a patch to fsdevel, he says:\r\n\r\n\u0026quot;orangefs_statfs() copies two consecutive fields of the superblock into\nthe statfs structure, which triggers a warning from the string fortification\nhelpers\u0026quot;\r\n\r\nJan Kara suggested an alternate way to do the patch to make it more readable.\r\n\r\nI ran both ideas through xfstests and both seem fine. This patch\nis based on Jan Kara\u0026apos;s suggestion.(CVE-2024-42143)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbnx2x: Fix multiple UBSAN array-index-out-of-bounds\r\n\r\nFix UBSAN warnings that occur when using a system with 32 physical\ncpu cores or more, or when the user defines a number of Ethernet\nqueues greater than or equal to FP_SB_MAX_E1x using the num_queues\nmodule parameter.\r\n\r\nCurrently there is a read/write out of bounds that occurs on the array\n\u0026quot;struct stats_query_entry query\u0026quot; present inside the \u0026quot;bnx2x_fw_stats_req\u0026quot;\nstruct in \u0026quot;drivers/net/ethernet/broadcom/bnx2x/bnx2x.h\u0026quot;.\nLooking at the definition of the \u0026quot;struct stats_query_entry query\u0026quot; array:\r\n\r\nstruct stats_query_entry query[FP_SB_MAX_E1x+\n         BNX2X_FIRST_QUEUE_QUERY_IDX];\r\n\r\nFP_SB_MAX_E1x is defined as the maximum number of fast path interrupts and\nhas a value of 16, while BNX2X_FIRST_QUEUE_QUERY_IDX has a value of 3\nmeaning the array has a total size of 19.\nSince accesses to \u0026quot;struct stats_query_entry query\u0026quot; are offset-ted by\nBNX2X_FIRST_QUEUE_QUERY_IDX, that means that the total number of Ethernet\nqueues should not exceed FP_SB_MAX_E1x (16). However one of these queues\nis reserved for FCOE and thus the number of Ethernet queues should be set\nto [FP_SB_MAX_E1x -1] (15) if FCOE is enabled or [FP_SB_MAX_E1x] (16) if\nit is not.\r\n\r\nThis is also described in a comment in the source code in\ndrivers/net/ethernet/broadcom/bnx2x/bnx2x.h just above the Macro definition\nof FP_SB_MAX_E1x. Below is the part of this explanation that it important\nfor this patch\r\n\r\n/*\n  * The total number of L2 queues, MSIX vectors and HW contexts (CIDs) is\n  * control by the number of fast-path status blocks supported by the\n  * device (HW/FW). Each fast-path status block (FP-SB) aka non-default\n  * status block represents an independent interrupts context that can\n  * serve a regular L2 networking queue. However special L2 queues such\n  * as the FCoE queue do not require a FP-SB and other components like\n  * the CNIC may consume FP-SB reducing the number of possible L2 queues\n  *\n  * If the maximum number of FP-SB available is X then:\n  * a. If CNIC is supported it consumes 1 FP-SB thus the max number of\n  *    regular L2 queues is Y=X-1\n  * b. In MF mode the actual number of L2 queues is Y= (X-1/MF_factor)\n  * c. If the FCoE L2 queue is supported the actual number of L2 queues\n  *    is Y+1\n  * d. The number of irqs (MSIX vectors) is either Y+1 (one extra for\n  *    slow-path interrupts) or Y+2 if CNIC is supported (one additional\n  *    FP interrupt context for the CNIC).\n  * e. The number of HW context (CID count) is always X or X+1 if FCoE\n  *    L2 queue is supported. The cid for the FCoE L2 queue is always X.\n  */\r\n\r\nHowever this driver also supports NICs that use the E2 controller which can\nhandle more queues due to having more FP-SB represented by FP_SB_MAX_E2.\nLooking at the commits when the E2 support was added, it was originally\nusing the E1x parameters: commit f2e0899f0f27 (\u0026quot;bnx2x: Add 57712 support\u0026quot;).\nBack then FP_SB_MAX_E2 was set to 16 the same as E1x. However the driver\nwas later updated to take full advantage of the E2 instead of having it be\nlimited to the capabilities of the E1x. But as far as we can tell, the\narray \u0026quot;stats_query_entry query\u0026quot; was still limited to using the FP-SB\navailable to the E1x cards as part of an oversignt when the driver was\nupdated to take full advantage of the E2, and now with the driver being\naware of the greater queue size supported by E2 NICs, it causes the UBSAN\nwarnings seen in the stack traces below.\r\n\r\nThis patch increases the size of the \u0026quot;stats_query_entry query\u0026quot; array by\nreplacing FP_SB_MAX_E1x with FP_SB_MAX_E2 to be large enough to handle\nboth types of NICs.\r\n\r\nStack traces:\r\n\r\nUBSAN: array-index-out-of-bounds in\n       drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11\nindex 20 is out of range for type \u0026apos;stats_query_entry [19]\u0026apos;\nCPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic\n\t     #202405052133\nHardware name: HP ProLiant DL360 Gen9/ProLiant DL360 \n---truncated---(CVE-2024-42148)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp_metrics: validate source addr length\r\n\r\nI don\u0026apos;t see anything checking that TCP_METRICS_ATTR_SADDR_IPV4\nis at least 4 bytes long, and the policy doesn\u0026apos;t have an entry\nfor this attribute at all (neither does it for IPv6 but v6 is\nmanually validated).(CVE-2024-42154)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/pkey: Wipe sensitive data on failure\r\n\r\nWipe sensitive data from stack also if the copy_to_user() fails.(CVE-2024-42157)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: check validation of fault attrs in f2fs_build_fault_attr()\r\n\r\n- It missed to check validation of fault attrs in parse_options(),\nlet\u0026apos;s fix to add check condition in f2fs_build_fault_attr().\n- Use f2fs_build_fault_attr() in __sbi_store() to clean up code.(CVE-2024-42160)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: dvb-frontends: tda10048: Fix integer overflow\r\n\r\nstate-\u0026gt;xtal_hz can be up to 16M, so it can overflow a 32 bit integer\nwhen multiplied by pll_mfactor.\r\n\r\nCreate a new 64 bit variable to hold the calculations.(CVE-2024-42223)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nUSB: serial: mos7840: fix crash on resume\r\n\r\nSince commit c49cfa917025 (\u0026quot;USB: serial: use generic method if no\nalternative is provided in usb serial layer\u0026quot;), USB serial core calls the\ngeneric resume implementation when the driver has not provided one.\r\n\r\nThis can trigger a crash on resume with mos7840 since support for\nmultiple read URBs was added back in 2011. Specifically, both port read\nURBs are now submitted on resume for open ports, but the context pointer\nof the second URB is left set to the core rather than mos7840 port\nstructure.\r\n\r\nFix this by implementing dedicated suspend and resume functions for\nmos7840.\r\n\r\nTested with Delock 87414 USB 2.0 to 4x serial adapter.\r\n\r\n[ johan: analyse crash and rewrite commit message; set busy flag on\n         resume; drop bulk-in check; drop unnecessary usb_kill_urb() ](CVE-2024-42244)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP4","name":"kernel","purl":"pkg:rpm/openEuler/kernel\u0026distro=openEuler-20.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.19.90-2408.3.0.0290.oe2003sp4"}]}],"ecosystem_specific":{"aarch64":["bpftool-4.19.90-2408.3.0.0290.oe2003sp4.aarch64.rpm","bpftool-debuginfo-4.19.90-2408.3.0.0290.oe2003sp4.aarch64.rpm","kernel-4.19.90-2408.3.0.0290.oe2003sp4.aarch64.rpm","kernel-debuginfo-4.19.90-2408.3.0.0290.oe2003sp4.aarch64.rpm","kernel-debugsource-4.19.90-2408.3.0.0290.oe2003sp4.aarch64.rpm","kernel-devel-4.19.90-2408.3.0.0290.oe2003sp4.aarch64.rpm","kernel-source-4.19.90-2408.3.0.0290.oe2003sp4.aarch64.rpm","kernel-tools-4.19.90-2408.3.0.0290.oe2003sp4.aarch64.rpm","kernel-tools-debuginfo-4.19.90-2408.3.0.0290.oe2003sp4.aarch64.rpm","kernel-tools-devel-4.19.90-2408.3.0.0290.oe2003sp4.aarch64.rpm","perf-4.19.90-2408.3.0.0290.oe2003sp4.aarch64.rpm","perf-debuginfo-4.19.90-2408.3.0.0290.oe2003sp4.aarch64.rpm","python2-perf-4.19.90-2408.3.0.0290.oe2003sp4.aarch64.rpm","python2-perf-debuginfo-4.19.90-2408.3.0.0290.oe2003sp4.aarch64.rpm","python3-perf-4.19.90-2408.3.0.0290.oe2003sp4.aarch64.rpm","python3-perf-debuginfo-4.19.90-2408.3.0.0290.oe2003sp4.aarch64.rpm"],"src":["kernel-4.19.90-2408.3.0.0290.oe2003sp4.src.rpm"],"x86_64":["bpftool-4.19.90-2408.3.0.0290.oe2003sp4.x86_64.rpm","bpftool-debuginfo-4.19.90-2408.3.0.0290.oe2003sp4.x86_64.rpm","kernel-4.19.90-2408.3.0.0290.oe2003sp4.x86_64.rpm","kernel-debuginfo-4.19.90-2408.3.0.0290.oe2003sp4.x86_64.rpm","kernel-debugsource-4.19.90-2408.3.0.0290.oe2003sp4.x86_64.rpm","kernel-devel-4.19.90-2408.3.0.0290.oe2003sp4.x86_64.rpm","kernel-source-4.19.90-2408.3.0.0290.oe2003sp4.x86_64.rpm","kernel-tools-4.19.90-2408.3.0.0290.oe2003sp4.x86_64.rpm","kernel-tools-debuginfo-4.19.90-2408.3.0.0290.oe2003sp4.x86_64.rpm","kernel-tools-devel-4.19.90-2408.3.0.0290.oe2003sp4.x86_64.rpm","perf-4.19.90-2408.3.0.0290.oe2003sp4.x86_64.rpm","perf-debuginfo-4.19.90-2408.3.0.0290.oe2003sp4.x86_64.rpm","python2-perf-4.19.90-2408.3.0.0290.oe2003sp4.x86_64.rpm","python2-perf-debuginfo-4.19.90-2408.3.0.0290.oe2003sp4.x86_64.rpm","python3-perf-4.19.90-2408.3.0.0290.oe2003sp4.x86_64.rpm","python3-perf-debuginfo-4.19.90-2408.3.0.0290.oe2003sp4.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1996"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48860"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39509"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41012"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41034"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41035"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41046"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41059"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41065"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41087"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42084"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42087"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42089"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42096"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42102"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42105"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42143"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42148"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42154"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42157"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42160"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42223"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42244"}],"database_specific":{"severity":"High"}}